Skip to content

Verification | Sinch (2.0.1)

Sinch offers a platform for phone number verification. It consists of different software development kits (the Sinch SDKs) that you integrate with your smartphone or web application and cloud based back-end services as well as a REST API. Together, they enable SMS, Flashcall, Phone Call, and Data verification in your application.

Verify users with SMS, flash calls (missed calls), a regular call, or data verification. This document serves as a user guide and documentation on how to use the Sinch Verification REST APIs.

The Sinch Verification API is used to verify mobile phone numbers. It's consumed by the Sinch Verification SDK, but it can also be used by any backend or client directly.

The Sinch service uses four different verification methods:

  • SMS: Sending an SMS message with a OTP code
  • FlashCall: Placing a flashcall (missed call) and detecting the incoming calling number (CLI)
  • Phone Call: Placing a PSTN call to the user's phone and playing a message containing the code
  • Data: By accessing internal infrastructure of mobile carriers to verify if given verification attempt was originated from device with matching phone number
Note:

If you want to use data verification, please contact your account manager.

Authentication

For general information on how to use the Sinch APIs including methods, types, errors and authorization, please visit the Authentication page.

Available authentication methods are:

Authorization

You can set the minimum required authentication level in the Dashboard. Verification API rejects requests using weaker authentication methods than configured. Some endpoints may require stronger authentication than the set minimum.

FlashCall verification

With the flashCall verification method, a user's phone number is verified by triggering a "missed call" towards this number. The call is automatically intercepted by the Android SDK in the mobile app and blocked automatically. iOS and JavaScript use cases require manual interaction where user has to enter incoming phone call number in the application.

To initiate a flashCall verification, visit Android SDK documentation. For additional security, it's recommended that you control which verification requests should proceed and which ones not, by listening in your backend for the Verification Request Event and respond accordingly. Your backend will be notified on the result of the verification with the Verification Result Event.

SMS verification

With the SMS verification method, a user's phone number is verified by sending an SMS containing an OTP code to this number. In the case of iOS or JavaScript, the user needs to enter the OTP manually or semi-manually in the application, while for Android there is an option of intercepting the SMS message delivery and capturing the OTP code automatically.

To initiate an SMS verification, check the iOS or Android documentation. For additional security, it's recommended that you control which verification requests should proceed and which ones not, by listening in your backend for the Verification Request Event and respond accordingly. Your backend will be notified on the result of the verification with the Verification Result Event.

Set SMS language

It's possible to specify the content language for SMS verification. The desired language is set in the initiate verification request 'Accept-Language' header. Setting this header is optional. If not included the application's default SMS content language is used, which by default is en-US. If an SMS template for the desired language is not found it's defaulted to 'en-US' unless a different default language has been defined for the requesting application. More information on the 'Accept-Language' header can be found from IETF and the HTTP/1.1 documentation.

Note:

The content language specified in the API request or in the callback can be overridden by carrier provider specific templates, due to compliance and legal requirements, such as US shortcode requirements.

Example - SMS verification specifying content language

Headers: ... Accept-Language: es-ES ... [POST]
https://verification.api.sinch.com/verification/v1/verifications
{
  "identity": { "type": "number", "endpoint": "+46700000001" },
  "method": "sms"
}

The actual language that was selected is returned in the Content-Language HTTP content header. As outlined above, this may differ from the requested language due to either that language not having SMS content defined, or it being overridden by provider requirements.

Example - SMS verification response with selected content language

Response

Headers: ... Content-Length: 103 Content-Language: es-ES Content-Type:
application/json; charset=utf-8 Expires: -1 ...
{
  "id": "1087388",
  "sms": {
    "template": "Tu código de verificación es {{CODE}}.",
    "interceptionTimeout": 120
  }
}

Phone Call verification

With the Phone Call verification method, a user's phone number is verified by receiving a phone call and hearing a pre-recorded or text-to-speech message containing OTP code. The user is then expected to enter this code in the application.

To initiate a Phone Call verification, check the Start Verification documentation. For additional security, it's recommended that you control which verification requests should proceed and which ones not, by listening in your backend for the Verification Request Event and respond accordingly. Your backend will be notified on the result of the verification with the Verification Result Event.

Data verification

With the data verification method, a user's phone number is verified by mobile carrier's infrastructure itself. This method requires cellular data usage on end-user's device and is currently limited in its coverage.

Note:

If you want to use data verification, please contact your account manager.

How to use the Verification APIs

In combination with the Mobile or Web SDK (recommended)

The following diagram shows how to use the Verification APIs when using the iOS, Android or JavaScript SDKs to initiate a verification.

verification.png

Important!

In this scenario, the Verification Request and Report Verification APIs don't need to be called explicitly by the app, since the SDK is handling that for you.

If you have configured a verification callback URL in the Sinch Portal (recommended), with every verification that's initiated by the app, Sinch will send a Verification Request Event to your backend, to get permission to perform the verification. If your backend allows the verification request to proceed, Sinch will trigger a flashcall, SMS or call towards the phone to be verified. Once the phone receives the flash-call, SMS or voice call, the SDK will report back the CLI or OTP respectively so that the Sinch dashboard can compare its validity. The Sinch backend responds with the result of the verification to the client and sends a Verification Result Event to your backend. The status of a verification can also be queried ad-hoc by using the "Query Verification" APIs.

Without the mobile or web SDK

If you are not using the mobile or web Verification SDKs, then you need to implement all the client logic for intercepting calls (in case of flashcalls) and reporting the CLI or OTP (in case of SMS or Phone Call verification) inside your app. The following diagram shows how to use Sinch Verification in this scenario.

verification_without_sdk.png

The verification requests will be triggered from your backend towards Sinch with the Verification Request API, by doing a signed request. Sinch dashboard will respond with the CLI filter (for flashcalls) or the template (in case of an SMS), or the polling intervals (in case of a Phone Call). As soon as the flashcall or SMS is received by your app, your backend will need to report back to Sinch the CLI or OTP that was reported through the Report Verification API. Sinch will respond with the result of the verification.

Download OpenAPI description
Languages
Servers

https://verification.api.sinch.com/

Verifications start

Start new verification requests.

Operations

Verifications report

Report on existing verification requests.

Operations

Verification status

Get the status of specific verification requests in the verification process. Returns the status of pending and completed verifications. You can retrieve the status of verification requests by using the ID of the request, the phone number of the user being verified, or a custom reference string.

Operations

Verification callbacks

Callback events are used to authorize and manage your verification requests and return verification results.

Webhooks

Request

This callback event is a POST request to the specified verification callback URL and is triggered when a new verification request is made from the SDK client or the Verification Request API. This callback event is only triggered when a verification callback URL is specified in your dashboard.

Bodyapplication/jsonrequired
idstringrequired

The ID of the verification request.

Example: "1234567890"
eventstringrequired

The type of the event.

ValueDescription
VerificationRequestEvent

Event received onto verification request

Example: "VerificationRequestEvent"
methodstring(VerificationMethodReport)required

The type of the verification.

Enum ValueDescription
sms

Verification by SMS message with an OTP code.

flashcall

Verification by placing a flashVerificationResultEvent call (missed call) and detecting the incoming calling number (CLI).

callout

Verification by placing a PSTN call to the user's phone and playing an announcement, asking the user to press a particular digit to verify the phone number.

Example: "sms"
identityobject(Identity)required

Specifies the type of endpoint that will be verified and the particular endpoint. number is currently the only supported endpoint type.

identity.​typestringrequired

Currently only number type is supported.

ValueDescription
number

Identity is of number type

identity.​endpointstringrequired

For type number use an E.164-compatible phone number.

Example: "+11235551234"
referencestring(VerificationEventReference)

Used to pass your own reference in the request for tracking purposes. Must be a unique value for each started verification request. The value must be encodable in the URL path segment. This value is passed to all events and returned from the status and report endpoints. The reference can be used to check the status of verifications, like with ID or identity.

customstring(VerificationEventCustom)

Can be used to pass custom data in the request. Will be passed to all events. Max length 4096 characters, can be arbitrary text data.

priceobject(Price)
acceptLanguageArray of stringsDeprecated

Allows you to set or override if provided in the API request, the SMS verification content language. Only used with the SMS verification method. The content language specified in the API request or in the callback can be overridden by carrier provider specific templates, due to compliance and legal requirements, such as US shortcode requirements (pdf).

Example: ["es-ES"]
application/json
{ "id": "1234567890", "event": "VerificationRequestEvent", "method": "sms", "identity": { "type": "number", "endpoint": "+11235551234" }, "reference": "string", "custom": "string", "price": { "currencyId": "USD", "amount": 0.0127 }, "acceptLanguage": [ "es-ES" ] }

Responses

A successful response.

Bodyapplication/json
One of:
actionstring(VerificationEventResponseAction)required

Determines whether the verification can be executed.

Enum ValueDescription
allow

Verification allowed

deny

Verification denied

Example: "allow"
smsobject
Response
application/json
{ "summary": "SMS OTP", "value": { "action": "allow", "sms": {} } }

Request

This callback event is a POST request to the specified verification callback URL and triggered when a verification has been completed and the result is known. It's used to report the verification result to the developer's backend application. This callback event is only triggered when the verification callback URL is specified in your dashboard.

Bodyapplication/jsonrequired
statusstring(VerificationStatus)required

The status of the verification

Enum ValueDescription
PENDING

The verification is ongoing.

SUCCESSFUL

The verification was successful.

FAIL

The verification attempt was made, but the number wasn't verified.

DENIED

The verification attempt was denied by Sinch or your backend.

ABORTED

The verification attempt was aborted by requesting a new verification.

ERROR

The verification couldn't be completed due to a network error or the number being unreachable.

Example: "PENDING"
idstringrequired

The ID of the verification request.

Example: "1234567890"
eventstringrequired

The type of the event.

ValueDescription
VerificationResultEvent

Notification Event received onto verification result

Example: "VerificationResultEvent"
methodstring(VerificationMethodReport)required

The type of the verification.

Enum ValueDescription
sms

Verification by SMS message with an OTP code.

flashcall

Verification by placing a flashVerificationResultEvent call (missed call) and detecting the incoming calling number (CLI).

callout

Verification by placing a PSTN call to the user's phone and playing an announcement, asking the user to press a particular digit to verify the phone number.

Example: "sms"
identityobject(Identity)required

Specifies the type of endpoint that will be verified and the particular endpoint. number is currently the only supported endpoint type.

identity.​typestringrequired

Currently only number type is supported.

ValueDescription
number

Identity is of number type

identity.​endpointstringrequired

For type number use an E.164-compatible phone number.

Example: "+11235551234"
referencestring(VerificationEventReference)

Used to pass your own reference in the request for tracking purposes. Must be a unique value for each started verification request. The value must be encodable in the URL path segment. This value is passed to all events and returned from the status and report endpoints. The reference can be used to check the status of verifications, like with ID or identity.

customstring(VerificationEventCustom)

Can be used to pass custom data in the request. Will be passed to all events. Max length 4096 characters, can be arbitrary text data.

reasonstring(VerificationStatusReason)

Displays the reason why a verification has FAILED, was DENIED, or was ABORTED.

Enum ValueDescription
Fraud

Fraudulent activity.

Not enough credit

Not enough credit in dashboard account.

Blocked

Blocked number.

Denied by callback

Callback response denied the verification.

Invalid callback

Callback was invalid.

Internal error

Internal server error.

Destination denied

Verification destination denied.

Network error or number unreachable

Network error or destination number is otherwise unreachable.

Failed pending

Pending failure.

SMS delivery failure

Could not deliver SMS.

Example: "Expired"
sourcestring(Source)

With the SMS verification method, a user's phone number is verified by sending an SMS containing an OTP code that must be manually returned. If you are are using an Android handset, you could instead intercept the SMS message delivery and capture the OTP code automatically.

Enum ValueDescription
intercepted

OTP verification was performed automatically

manual

OTP verification was manually performed

Example: "intercepted"
application/json
{ "id": "1234567890", "event": "VerificationResultEvent", "method": "sms", "identity": { "type": "number", "endpoint": "+11235551234" }, "reference": "string", "custom": "string", "status": "PENDING", "reason": "Expired", "source": "intercepted" }

Responses

You must return an empty 200 response.

Bodyschema

Request

This callback event is a POST request to the specified verification callback URL and is triggered when an SMS delivery receipt is received. It is used to report the final delivery status of the verification SMS. This callback event is only triggered when a verification callback URL is specified in your dashboard.

Bodyapplication/jsonrequired
smsResultstringrequired

The result of the SMS delivery. Possible values can be extended in the future.

Enum ValueDescription
Successful

SMS delivered to user successfully

Failed

SMS delivery to user failed

Example: "Successful"
idstringrequired

The ID of the verification request.

Example: "1234567890"
eventstringrequired

The type of the event.

ValueDescription
VerificationSmsDeliveredEvent

Event received onto verification request

Example: "VerificationSmsDeliveredEvent"
methodstring(VerificationMethodReport)required

The type of the verification.

Enum ValueDescription
sms

Verification by SMS message with an OTP code.

flashcall

Verification by placing a flashVerificationResultEvent call (missed call) and detecting the incoming calling number (CLI).

callout

Verification by placing a PSTN call to the user's phone and playing an announcement, asking the user to press a particular digit to verify the phone number.

Example: "sms"
identityobject(Identity)required

Specifies the type of endpoint that will be verified and the particular endpoint. number is currently the only supported endpoint type.

identity.​typestringrequired

Currently only number type is supported.

ValueDescription
number

Identity is of number type

identity.​endpointstringrequired

For type number use an E.164-compatible phone number.

Example: "+11235551234"
referencestring(VerificationEventReference)

Used to pass your own reference in the request for tracking purposes. Must be a unique value for each started verification request. The value must be encodable in the URL path segment. This value is passed to all events and returned from the status and report endpoints. The reference can be used to check the status of verifications, like with ID or identity.

customstring(VerificationEventCustom)

Can be used to pass custom data in the request. Will be passed to all events. Max length 4096 characters, can be arbitrary text data.

application/json
{ "id": "1234567890", "event": "VerificationSmsDeliveredEvent", "method": "sms", "identity": { "type": "number", "endpoint": "+11235551234" }, "reference": "string", "custom": "string", "smsResult": "Successful" }

Responses

You must return an empty 200 response.

Bodyschema